Solved

Admin Rights in GPO to Run a .BAT File

Posted on 2013-01-16
6
852 Views
Last Modified: 2013-01-16
Hello,

I am trying to run a simple .BAT file that will get rid of previous versions of Java and I want to use Group Policy to distribute it.  I have it setup as a startup script in the Group Policy Manager and it works great ... as long as the user logs in with the local or domain Admin account :S

I thought using the startup script in GPM automatically used system admin rights.  Did I miss a step there?

I've tried to find a few simple solutions across the web, but they all seem to involve putting the admin account info in the BAT file ... something I do NOT want to do.

BTW, I am far from a programmer (my BAT file simply has one command in it).  So bear with me.  Also running a Windows 2008 R2 environment and the client machines are Win7.

Any help would be appreciated.
0
Comment
Question by:qec-dpenney
  • 3
  • 2
6 Comments
 
LVL 84

Expert Comment

by:oBdA
ID: 38782813
You're not using a startup script then, but a logon script.
Look under "Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)".
The startup script will run with System rights, and it will run without a user logging on.
Use this batch file as a template; it will create a startup.log file in %Systemroot%\Temp:
>>"C:Windows\Temp\startup.log" echo Startup script started at %Date% %Time%
>>"%Systemroot%\Temp\startup.log"  echo Running as:
whoami.exe >>"%Systemroot%\Temp\startup.log"
REM Your Java command:

Open in new window

Then assign the GPO to a test computer and reboot the machine. You can check whether the script ran without logging on; in an elevated command prompt, enter type \\TestMachine\Admin$\Temp\startup.log.
0
 

Author Comment

by:qec-dpenney
ID: 38782887
Here is the odd thing ... it is setup under the Startup script ... and I assume the BAT is running at start up since the login in process really takes no time at all to load.  However, If I log as the user, Java is not removed, if I log as either the local or domain admin, Java is removed.

I will try your test BAT though and get back to you, just to make sure I didn't mess anything up.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 38782951
Are you using the script here to remove Java ??

http://community.spiceworks.com/scripts/show/1449-uninstall-java-6
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 

Author Comment

by:qec-dpenney
ID: 38782975
Yes, but just the command line.  This is my '.BAT file';

wmic product where "name like 'Java(TM) 6%%'" call uninstall /nointeractive

wmic product where "name like 'Java(TM) 7%%'" call uninstall /nointeractive

wmic product where "name like 'Java 7%%'" call uninstall /nointeractive

exit
0
 
LVL 84

Accepted Solution

by:
oBdA earned 500 total points
ID: 38783003
Try this then; it adds some more logging:
@echo off
>>"C:Windows\Temp\startup.log" echo Startup script started at %Date% %Time%
>>"%Systemroot%\Temp\startup.log"  echo Running as:
whoami.exe >>"%Systemroot%\Temp\startup.log"
>>"C:Windows\Temp\startup.log" echo %Time% Uninstalling 'Java(TM) 6%%%%' ...
wmic product where "name like 'Java(TM) 6%%'" call uninstall /nointeractive >>"%Systemroot%\Temp\startup.log" 2>&1
>>"C:Windows\Temp\startup.log" echo %Time% Uninstalling 'Java(TM) 7%%%%' ...
wmic product where "name like 'Java(TM) 7%%'" call uninstall /nointeractive >>"%Systemroot%\Temp\startup.log" 2>&1
>>"C:Windows\Temp\startup.log" echo %Time% Uninstalling 'Java 7%%%%' ...
wmic product where "name like 'Java 7%%'" call uninstall /nointeractive >>"%Systemroot%\Temp\startup.log" 2>&1
>>"C:Windows\Temp\startup.log" echo Startup script ended at %Date% %Time%

Open in new window

0
 

Author Comment

by:qec-dpenney
ID: 38783328
It looks like it is now working.  Thanks for your help with this.  I updated my BAT file with your improved logging BAT file (didn't change any of the GPO settings though) and it looks like it is working.

I think my issue was I was expecting the GPO update to occur too quickly.  With my testing, I had to reboot 3 or 4 times in order for the update to occur, but I kept logging in as a local user (no admin rights) and eventually all Java instances disappeared.

Your logging BAT file helped me determine if it was running and if it was successful (had a couple of 1603 instances instead of 0 ... that may have been an issue as well)

Thanks for your help.
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A Bare Metal Image backup allows for the restore of an entire system to a similar or dissimilar hardware. They are highly useful for migrations and disaster recovery. Bare Metal Image backups support Full and Incremental backups. Differential backup…
Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question